Password - the clear-text password to store in the IronWifi database for local verification.

Status - a user account can be Enabled (the user can authenticate) or Disabled (authentication requests will always be rejected).

Login Time - the time span during which the user is allowed to authenticate. Valid examples: Wk2305-0855, Sa, Su2305-1655. Any or Al means all days. All times are in the UTC time zone.

Creation Date - when the user account was created.

Last seen - the last authentication attempt using this username.
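An added example (not IronWifi code) that checks a UTC timestamp against a Login Time value such as the one shown above. It assumes entries are comma-separated, that the day codes are Mo, Tu, We, Th, Fr, Sa, Su plus Wk for Monday to Friday, and that a range whose end is earlier than its start (2305-0855) wraps around midnight within the listed day.

```python
from datetime import datetime, timezone

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index == datetime.weekday()

def _days(code):
    """Expand a day code into a set of weekday indexes (0 = Monday)."""
    if code in ("Any", "Al"):
        return set(range(7))
    if code == "Wk":                      # assumed: Monday to Friday
        return set(range(5))
    return {DAYS.index(code)}             # ValueError on an unknown code

def login_allowed(spec, when):
    """Return True if the timezone-aware datetime `when` is inside `spec`."""
    when = when.astimezone(timezone.utc)  # Login Time is evaluated in UTC
    minute = when.hour * 60 + when.minute
    for entry in spec.split(","):
        entry = entry.strip()
        # Leading letters are the day code, the rest is an optional HHMM-HHMM.
        i = 0
        while i < len(entry) and entry[i].isalpha():
            i += 1
        if when.weekday() not in _days(entry[:i]):
            continue
        hours = entry[i:]
        if not hours:                     # a bare day code allows the whole day
            return True
        start, end = (int(h[:2]) * 60 + int(h[2:]) for h in hours.split("-"))
        if start <= end:
            inside = start <= minute <= end
        else:                             # assumed: wraps around midnight
            inside = minute >= start or minute <= end
        if inside:
            return True
    return False
```

Because the value is interpreted in UTC, a window written in local office hours will open and close at the wrong time unless it is converted first.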

Groups

The user can be a member of multiple groups and inherit attributes from these groups. To add a user to a Group, click the Add to Group button, select a Group, and assign a Priority. Click Save to save this membership information.

Priority - determines the order in which group memberships are evaluated, starting with 1 (highest priority) down to 10 (lowest priority). Evaluation continues through the groups until a match is found, that is, until all of a group's Check Attributes match the request. When that happens, the group's Reply attributes are added to the Response, and no further Groups are checked.

Certificates

IronWifi allows certificate-based authentication using the EAP-TLS authentication protocol. Every user can have multiple certificates that can be installed on different devices. To generate a certificate, click the Add Certificate button and select Distribution and Validity. Click Create to generate a new certificate.

Distribution - certificates need to be installed on the user's device to work. Three options are available to obtain the generated certificate:

Download certificate - the certificate will be automatically downloaded to the administrator's browser. An import password will be displayed in the pop-up window.

Email certificate to the User - the user will receive an email with the certificate as an attachment. The import password is included in the email. This method requires the user to have a valid email address.

Email download link to the User - an email is sent to the user with an import password and a link to download the certificate. The certificate can be downloaded only once. A valid email address in the user profile is required to deliver the email.

Attributes

Users can have check and reply attributes. These attributes are used to control session behavior and provide a control mechanism for your NAS controller. Additional attributes can be inherited from the assigned Organizational Unit or Group.

To add an attribute to a user, click the Add Attribute button. In the pop-up window, you can search for an attribute by name or select a vendor and its attributes.

Table - you can select the type of this attribute:

check - the received attribute value is compared to the pre-defined value

reply - if the check attributes match, this reply attribute is returned to the NAS/Controller for further processing

Operator - the following is a list of operators and their meanings.

| Operator | Example | Use with 'check' items | Use with 'reply' items |
| --- | --- | --- | --- |
| = | Attribute = Value | Not allowed as a check item for RADIUS protocol attributes. It is allowed for server configuration attributes (Auth-Type, etc), and sets the value of an attribute, only if there is no other item of the same attribute. | As a reply item, it means "add the item to the reply list, but only if there is no other item of the same attribute." |
| := | Attribute := value | Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. | As a reply item, it has an identical meaning, but for the reply items, instead of the request items. |
| == | Attribute == Value | As a check item, it matches if the named attribute is present in the request, AND has the given value. | Not allowed as a reply item. |
| += | Attribute += Value | Always matches as a check item, and adds the current attribute with value to the list of configuration items. | As a reply item, it has an identical meaning, but the attribute is added to the reply items. |
| != | Attribute != Value | As a check item, matches if the given attribute is in the request, AND does not have the given value. | Not allowed as a reply item. |
| > | Attribute > Value | As a check item, it matches if the request contains an attribute with a value greater than the one given. | Not allowed as a reply item. |
| >= | Attribute >= Value | As a check item, it matches if the request contains an attribute with a value greater than, or equal to the one given. | Not allowed as a reply item. |
| < | Attribute < Value | As a check item, it matches if the request contains an attribute with a value less than the one given. | Not allowed as a reply item. |
| <= | Attribute <= Value | As a check item, it matches if the request contains an attribute with a value less than, or equal to the one given. | Not allowed as a reply item. |
| =~ | Attribute =~ Expression | As a check item, it matches if the request contains an attribute which matches the given regular expression. This operator may only be applied to string attributes. | Not allowed as a reply item. |
| !~ | Attribute !~ Expression | As a check item, it matches if the request contains an attribute which does not match the given regular expression. | Not allowed as a reply item. |
| =* | Attribute =* Value | As a check item, it matches if the request contains the named attribute, no matter what the value is. | Not allowed as a reply item. |
| !* | Attribute !* Value | As a check item, it matches if the request does not contain the named attribute, no matter what the value is. | Not allowed as a reply item. |

Value - provides the value of the Attribute. For time-related attributes, the value is usually in seconds. For data-related attributes, the value is in bytes.
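An added example (not IronWifi code) that models the Priority rule from the Groups section together with the operator semantics listed above: groups are tried from priority 1 upward, a group matches only when every check item matches, and the first matching group's reply items are applied before evaluation stops. The request is assumed to be a plain dict, the membership data is constructed, and "=" as a check item (server configuration attributes only) is left out.

```python
import operator
import re

COMPARE = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
           ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def check_matches(request, attr, op, value):
    """Evaluate one check item against the request attributes (a dict)."""
    if op in (":=", "+="):      # always match as check items
        return True
    if op in ("=*", "!*"):      # presence tests, value ignored
        return (attr in request) == (op == "=*")
    if attr not in request:     # remaining operators need the attribute
        return False
    if op in ("=~", "!~"):      # regular expression, string attributes only
        return bool(re.search(value, str(request[attr]))) == (op == "=~")
    if op not in COMPARE:
        raise ValueError(f"{op!r} is not handled as a check operator")
    return COMPARE[op](request[attr], value)

def apply_reply(reply, attr, op, value):
    """Apply one reply item to the reply list (attr -> list of values)."""
    if op == "=":               # add only if the attribute is not there yet
        reply.setdefault(attr, [value])
    elif op == ":=":            # replace any item of the same attribute
        reply[attr] = [value]
    elif op == "+=":            # add another item
        reply.setdefault(attr, []).append(value)
    else:
        raise ValueError(f"{op!r} is not allowed as a reply item")

def evaluate_groups(request, memberships):
    """Try groups from priority 1 to 10; the first full match wins."""
    reply = {}
    for _priority, group in sorted(memberships, key=lambda m: m[0]):
        if all(check_matches(request, *c) for c in group["check"]):
            for r in group["reply"]:
                apply_reply(reply, *r)
            return group["name"], reply
    return None, reply

# Constructed sample memberships: (priority, group)
MEMBERSHIPS = [
    (2, {"name": "staff", "check": [("NAS-Identifier", "=*", None)],
         "reply": [("Session-Timeout", ":=", 28800)]}),
    (1, {"name": "guest", "check": [("Called-Station-Id", "=~", r":Guest$")],
         "reply": [("Session-Timeout", ":=", 3600),
                   ("Reply-Message", "+=", "guest")]}),
]
```

A group whose check items use only := or += matches every request, so giving such a group priority 1 hides every lower-priority group behind it.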